Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload
From: Samuel Thibault
Subject: Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload
Date: Mon, 26 Aug 2019 00:54:03 +0200
User-agent: NeoMutt/20170609 (1.8.3)
Hello,
Philippe Mathieu-Daudé, on Fri, 23 Aug 2019 17:15:32 +0200, wrote:
> > Did you make your test with commit 126c04acbabd ("Fix heap overflow in
> > ip_reass on big packet input") applied?
>
> Yes, unfortunately it doesn't fix the issue.
Ok.
Could you try the attached patch? There was a use-after-free. Without
it, I can indeed crash qemu with the given exploit. With it I don't
seem to be able to crash it (trying in a loop for several minutes).
Samuel
Attachment: patch (text document)
- [Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet reassembly (CVE-2019-14378), Philippe Mathieu-Daudé, 2019/08/22
- [Qemu-devel] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/22
- Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Samuel Thibault, 2019/08/22
- Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/23
- Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Samuel Thibault <= (this message)
- Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, P J P, 2019/08/29
- Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/29
- Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/29
- Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload, Philippe Mathieu-Daudé, 2019/08/29
- [Qemu-devel] [RFC PATCH 2/2] Delay crash when mbufs are corrupted, Philippe Mathieu-Daudé, 2019/08/22